Tuesday, June 20, 2006

ING Loses Jackson Health & DC Employee's Data

ING-Loses-Jackson-Health-and-DC-Employee's-Data-audio post - click to play

ING, a large financial services firm, is the
recipient
of our weekly "who lost the laptop"
award. This dubious
honor was bestowed
because the company lost not 1 one but

3 computers containing sensitive personal
information
highly sought by identity thieves.


All told, 21,500 people have been effected.

In an all too familiar story closely resembling similar
"lost" laptops, ING waited for months before disclosing
confidential consumer information had been compromised.
As part of the pattern of recent security breaches, the
data of at least one of the stolen computers was not
encrypted (meaning scrambled so that it's not easily
viewable by an identity thief).

As the same sad pattern continues with other more recent
security breaches, a laptop was stolen from the home of
a ING employee in D.C.. In a second incident involving
the data of Jackson Health Systems, ING simply misplaced two
computers containing confidential consumer information
gathered during a voluntary life insurance enrollment
drive in December.

The sensitive consumer information included:

  • Names
  • Date of Birth
  • Social Security Numbers (ssn)

Once again, identity thieves win because of careless
handling of consumer information by a company entrusted
to protect their clients most important asset (personal info).

There's a simple fix to this repeated pattern we unfortunately
learn of seemingly every week now. First, companies or
other entities should not allow employee's to take off
work premises any consumer information - especially
data containing social security numbers or date of births.

It's all to easy to replace those identifiers with a simple
numeric alternative.

Secondly, under no circumstances should companies be allowed
to transport unencrypted consumer data.

We recently learned of a very large credit card issuer which
requires their marketing contractors to even encrypt names
and email addresses when transmitting them to fulfillment
off site vendors.

Imagine if all of these business practices to insure safer
handling of consumer data would be mandated punishable by
law in each instance (meaning effected consumer) of
$10,000 per month the data is missing or stolen.

We would be surprised to see this continuing sad saga
each week of at least 2 - 3 new instances of identity
theft or "lost" consumer data continue to occur.

Tune in next time as we'll expose a shocking but true
story of how one of the very largest credit bureaus
itself became the latest victim to identity theft.

0 Comments:

Post a Comment

<< Home